From ccf8a72ae386ae139e1b9e9ffb0ee2b56881a828 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 18 2007 21:33:00 +0000 Subject: - Fix vpn to bind to port 4500 - Allow ssh to create shm - Allow rshd to bind to ports > 1023 --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 16ec8ba..729db8c 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1514,3 +1514,11 @@ webadm = module # exim = module + +# Layer: admin +# Module: kismet +# +# Wireless sniffing and monitoring +# +kismet = module + diff --git a/policy-20070703.patch b/policy-20070703.patch index f094ffa..7fbeae6 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -1128,8 +1128,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.0.8/policy/modules/admin/kismet.if --- nsaserefpolicy/policy/modules/admin/kismet.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/admin/kismet.if 2007-10-18 16:33:14.000000000 -0400 -@@ -0,0 +1,328 @@ ++++ serefpolicy-3.0.8/policy/modules/admin/kismet.if 2007-10-18 17:32:20.000000000 -0400 +@@ -0,0 +1,277 @@ + +## policy for kismet + @@ -1297,26 +1297,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. + +######################################## +## -+## Allow the specified domain to manage -+## kismet log files. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`kismet_manage_log',` -+ gen_require(` -+ type var_log_t, kismet_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_files_pattern($1, kismet_log_t, kismet_log_t) -+') -+ -+######################################## -+## +## Allow the specified domain to append +## kismet log files. +## 
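Review bot: The commit message and the new %changelog entry list three changes (vpn on port 4500, ssh creating shm, rshd binding ports above 1023), but none of the hunks visible here implement them, while what is visible — this hunk enabling `kismet = module`, the removal of two kismet.if interfaces, the apcupsd hook scripts labelled bin_t and udev transitioning to mdadm — is not mentioned at all. Either the vpn/ssh/rshd hunks sit in a part of the patch outside this excerpt or the message was carried over from a different drop; either way the message should also record the kismet, apcupsd and udev changes so the policy bump can be reviewed against it. The %changelog header `* Thu Oct 16 2007` is also inconsistent with the commit `Date: Oct 18 2007` and with the preceding entry, which dates Oct 16 as a Tuesday; rpmbuild warns on such dates.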
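Review bot: Dropping `kismet_manage_log` here and `kismet_run` in the hunk at @@ -1427 removes two public interfaces from kismet.if without any caller being updated in the visible diff; if another module's .te (a role policy, typically) still invokes either, the policy build fails on the undefined macro, so the tree should be searched for both names before this lands. With `kismet_run` gone no remaining interface grants a role the transition into kismet_t, so kismet_t is reachable only through whatever kismet.te itself sets up, which is outside this diff. The line accounting is consistent: the kismet.if header changes from 328 to 277 lines and the two hunks remove 20 and 31 lines. The kismet_append_log interface whose doc comment begins at the end of this hunk continues past it.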
@@ -1427,37 +1407,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. + +') + -+######################################## -+## -+## Execute kismet programs in the kismet domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+## -+## -+## The role to allow the kismet domain. -+## -+## -+## -+## -+## The type of the terminal allow the kismet domain to use. -+## -+## -+## -+# -+interface(`kismet_run',` -+ gen_require(` -+ type kismet_t; -+ ') -+ -+ kismet_domtrans($1) -+ role $2 types kismet_t; -+ allow kismet_t $3:chr_file rw_term_perms; -+') -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.0.8/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.8/policy/modules/admin/kismet.te 2007-10-18 16:30:41.000000000 -0400 @@ -3414,7 +3363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-08-22 07:14:06.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-10-03 11:10:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-10-18 17:16:04.000000000 -0400 @@ -36,6 +36,11 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) @@ -3448,7 +3397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -259,3 +265,9 @@ +@@ -259,3 +265,18 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -3458,6 +3407,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) +/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0) +/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0) ++ ++/etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0) ++/etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0) ++/etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0) ++/etc/apcupsd/commok -- gen_context(system_u:object_r:bin_t,s0) ++/etc/apcupsd/masterconnect -- gen_context(system_u:object_r:bin_t,s0) ++/etc/apcupsd/mastertimeout -- gen_context(system_u:object_r:bin_t,s0) ++/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) ++/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-07-03 07:05:38.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2007-10-17 16:11:40.000000000 -0400 @@ -15366,7 +15324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-15 13:54:06.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-18 17:22:34.000000000 -0400 @@ -132,6 +132,7 @@ init_read_utmp(udev_t) 
@@ -15388,6 +15346,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t brctl_domtrans(udev_t) ') +@@ -220,6 +227,10 @@ + ') + + optional_policy(` ++ raid_domtrans_mdadm(udev_t) ++') ++ ++optional_policy(` + kernel_write_xen_state(udev_t) + kernel_read_xen_state(udev_t) + xen_manage_log(udev_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-05-29 14:10:58.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2007-10-03 11:10:25.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 8910030..cb62fd4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -373,6 +373,11 @@ exit 0 %endif %changelog +* Thu Oct 16 2007 Dan Walsh 3.0.8-25 +- Fix vpn to bind to port 4500 +- Allow ssh to create shm +- Allow rshd to bind to ports > 1023 + * Tue Oct 16 2007 Dan Walsh 3.0.8-24 - Allow rpm to chat with networkmanager